I have some MikroTik devices connected with L2TP/IPsec to a hEX (v6.48.4).
I want to connect with Winbox to each MikroTik device. This L2TP is ONLY for administering the routers, not for sharing any data through the VPN.
So I want to try to connect with Winbox to my hEX, which manages all the L2TP clients, on a specific public port like 10012, and NAT this connection through the VPN to the MikroTik device I want to administer (port 8291).
L2TP IP of the device: 10.0.0.14
Local L2TP IP on the hEX: 10.0.0.15
Public IP, for example: 54.0.0.2
Public port on the hEX to redirect: 10012
I have tried to add a NAT rule with dstnat // tcp // dst port: 10012 // to address: 10.0.0.14 // to port: 8291
I see the packet on the hEX but nothing goes to 10.0.0.14.
Hi,
have you tried using Source NAT together with Destination NAT?
Once you open communication with your hEX on specific dst port, you are using your public IP as a source. hEX forwards the traffic to the L2TP tunnel, but the source IP remains the same.
I’d say when you connect to “54.0.0.2:10012”, the device you’re trying to manage receives the traffic, but tries to reply to your public IP, instead of replying back to source-NATted address via L2TP tunnel.
I don’t understand: how can I use chain=srcnat + dst-address and action=dst-nat?
For information, I missed a detail. The router in front of my hEX is not in bridge mode. So I have “Router public address” → “192.168.0.240” (WAN IP of the hEX).
I do not understand the request.
Draw a network diagram and then speak to the diagram.
In general, If you have established a VPN to a router, you are basically connected to the router at the VPN interface.
It’s not really a WAN interface and it’s not really a LAN interface.
I think of it as a fake LAN interface, in that it’s at the LAN level, but you need to
a. tell the router that you want upward access to the router (to configure the router via the admin remotely using winbox for example)
b. tell the router that you want sideways access to the other LAN entities. (to access entities or to configure Lan devices via the admin remotely using winbox)
In general, you will need a route on the ROUTER to ensure remote incoming traffic is routed back through the tunnel and not out the internet for example.
Okay, your ISP modem is NOT a modem.
It’s a modem/router, and your hEX is getting a private IP from the ISP device and not a public IP.
Hence do you have access to the ISP modem router? Normally one can at least do something called port forwarding.
Also, do you have any other subnets on the hEX besides L2TP?
I don’t understand your hEX subnet structure, so a diagram detailing that would be helpful.
I am not aware that the MT L2TP includes a subnet either; typically you get a single IP address and that is your interface into the router, separate but like at the LAN level.
You need an input chain rule to allow the L2TP interface to configure the router, and you also need forward chain rules to allow L2TP access to LAN segments, and
finally you need an IP route to point traffic coming from home back to home through the tunnel.
Also besides diagram please post your config.
/export hide-sensitive file=anynameyouwish
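As an added example (not posted by anyone in this thread), here is how the two NAT rules discussed above (dst-nat for the public port plus a matching source rewrite towards the tunnel) and the input rule on the remote router fit together for the addresses given in the thread. Interface names (ether1 as the hEX WAN port, l2tp-out1 on the remote device), the admin-ips address list and its 203.0.113.10 entry are assumptions made for the example:

```routeros
# --- hEX (L2TP server, tunnel address 10.0.0.15), WAN behind the ISP router on ether1 ---
/ip firewall address-list
# constructed example: restrict the exposed Winbox port to known admin source addresses
add list=admin-ips address=203.0.113.10 comment="admin workstation (example value)"

/ip firewall nat
# 1) Inbound on the forwarded public port: rewrite the destination to the remote
#    router's Winbox port inside the tunnel.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=10012 \
    src-address-list=admin-ips action=dst-nat to-addresses=10.0.0.14 to-ports=8291 \
    comment="winbox -> remote site via L2TP"

# 2) Same connection as it leaves into the tunnel: rewrite the source to the hEX's
#    own tunnel address, so the remote router answers 10.0.0.15 through the tunnel
#    instead of sending the reply to the admin's public IP over its LTE default route.
add chain=srcnat dst-address=10.0.0.14 protocol=tcp dst-port=8291 \
    action=src-nat to-addresses=10.0.0.15 comment="source rewrite for remote winbox"

# --- Remote MikroTik (L2TP client, tunnel address 10.0.0.14) ---
/ip firewall filter
# Accept Winbox only when it arrives over the tunnel from the hEX; place it ahead of
# the default drop rules in the input chain.
add chain=input in-interface=l2tp-out1 src-address=10.0.0.15 protocol=tcp dst-port=8291 \
    connection-state=new action=accept place-before=0 comment="winbox from hEX over tunnel"

# --- Checks on the hEX after opening Winbox to 54.0.0.2:10012 ---
# Both NAT rules should count packets; if only the dstnat rule does, the reply is
# leaving the remote router the wrong way.
/ip firewall nat print stats where comment~"winbox"
# The connection should show the rewritten source 10.0.0.15 and destination 10.0.0.14:8291.
/ip firewall connection print where dst-address~"10.0.0.14:8291"
```

Because the source is rewritten to 10.0.0.15, which is directly reachable on the tunnel, the remote router needs no extra route for the admin's public address; without the srcnat rule it would need a route for every admin source address via the tunnel, which is impractical. The trade-off is that the remote router's logs only ever see 10.0.0.15 as the Winbox client, so the hEX connection table and firewall log (plus the admin-ips restriction on the dstnat rule) are where the real source is recorded.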
Yes, it’s a router with NATed rules. I have access to the router; the current config is: NAT to 192.168.0.240 // TCP // Ports: 10000-10100
Only the ETH1 and 2 are used (Ether3 is down).
I used the L2TP config only to access clients behind a CGNAT on LTE operators. The goal is only to access each MikroTik with Winbox. (Attached: hEX_DUDE.rsc)